
VTP Query

Hi Guys,
Just been reading about VTP and in theory it's a good thing to have enabled on switches due to VTP pruning and less overhead if you have multiple switches. However I work in an organisation where we don't have VLANs, so I don't know if it (VTP) is good in practice or not? A lot of people I've spoken to have said they don't know anyone who uses VTP, because if you misconfigure 1 switch it will propagate through the entire network and royally F#@) up the rest of the network. All the experienced network engineers out there who work in multiple-VLAN environments, can you please let me know if you use VTP and your reasons for doing/not doing so?

Thanks mate, I realise what VTP is and what it is used for... my question was more towards experienced network engineers who look after multi-VLAN environments. Do you use VTP? And what are the advantages and disadvantages of using it?

Originally posted here by tinu_karki: Thanks mate, I realise what VTP is and what it is used for... my question was more towards experienced network engineers who look after multi-VLAN environments. Do you use VTP? And what are the advantages and disadvantages of using it?

We used VLANs extensively at my previous job. We had to use VTP because we used multiple switches on the same floor with several ports in different VLANs. We had a single VLAN (across all switches) for the printers, for example, and another VLAN (per floor) for the workstations. Some workstations were placed in yet another VLAN because of their different requirements.

Oliver's Law:
Experience is something you don't get until just after you need it.

Basically, VTP allows you to propagate your VLANs across trunked switches automatically.
For example, let's say switch A has VLANs 10, 20 and 30 configured and assigned to local interfaces, and that you add a switch B, which is linked by a trunk interface to switch A. Using VTP, until you assign one of those VLANs to an interface on switch B, tagged traffic for them will not be forwarded over the trunk (thus saving bandwidth); they are pruned off until required. This spares you the manual creation/replication of VLANs and the manual VLAN/trunk assignments across multiple switches.

So VTP all sounds nice and useful... until it comes back with a vengeance:

A switch can be configured in 3 VTP modes: server, client, transparent.

Transparent basically means VTP is not being used (it is, however, forwarded to other switches if received). This is the safe mode. (This is how you "turn off" VTP, in fact.)

Server and client are the dangerous modes:
The thing is, VTP-configured switches store a VTP configuration revision number. Each manual configuration of VLANs increments the revision number. When VTP info is propagated, the switch that has the highest revision number is deemed to be the most up to date and its information prevails.
The classic disaster scenario goes like this:
- Network setup with VTP-enabled switches (client or server).
- Newbie network admin (re-)configures a new switch in the lab, plays with the VLANs a bit.
- Said admin plugs the new switch in place, with VLANs locally incorrectly configured, and sets it to VTP client mode thinking VTP will propagate to it anyway.
- Said admin doesn't realise that the new/reconfigured switch's VTP revision number is now HIGHER than that of the switches already in place.
- New switch starts propagating its incorrect VLAN info over VTP, with the other switches obligingly accepting the new, erroneous VLANs and deleting the missing ones...
- Network screeches to a halt!
- Panic ensues!

This is such an easy mistake to make that many netadmins consider the risk to outweigh the benefits. Many also just prefer to know exactly what will be trunked where and why, by configuring VLANs/trunks manually...
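A toy model of the "highest configuration revision wins" rule described in the post above, as an added example and not code from the thread. It assumes the lab switch shares the production VTP domain name (the post does not say so), and the switch/VLAN names are hypothetical; `risky_to_connect` is the pre-insertion check a defender would run before plugging the switch in, and `set_transparent` is the "turn VTP off" step that also zeroes the revision.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    mode: str          # "server", "client" or "transparent"
    domain: str        # VTP domain name (assumed to match; the thread omits it)
    revision: int = 0
    vlans: dict = field(default_factory=dict)   # vlan id -> name

    def configure_vlan(self, vid, name):
        """Manual VLAN edit; only server mode bumps the revision number."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot edit VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1

    def set_transparent(self):
        """The 'turn VTP off' step from the post; it also zeroes the revision."""
        self.mode = "transparent"
        self.revision = 0

    def receive_advertisement(self, sender):
        """Same domain and a higher revision wins; returns True if we were overwritten."""
        if self.mode == "transparent" or sender.domain != self.domain:
            return False
        if sender.revision > self.revision:
            self.vlans = dict(sender.vlans)   # VLANs missing on the sender are deleted here
            self.revision = sender.revision
            return True
        return False

def risky_to_connect(new, production):
    """Pre-insertion check: would the new switch win the revision election?"""
    return (new.mode != "transparent" and new.domain == production.domain
            and new.revision > production.revision)

def disaster_scenario():
    """The thread's scenario: lab switch plugged in with a higher revision."""
    core = Switch("core", "server", "corp", revision=3,
                  vlans={10: "users", 20: "printers", 30: "servers"})
    lab = Switch("lab", "server", "corp")
    for i in range(5):                       # admin "plays with the vlans a bit"
        lab.configure_vlan(99, f"test{i}")   # revision climbs to 5
    lab.mode = "client"                      # set to client; revision is NOT reset
    risky = risky_to_connect(lab, core)      # True: the check would have caught it
    overwritten = core.receive_advertisement(lab)
    return risky, overwritten, core.vlans    # core now only has VLAN 99
```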


VLANs are great! They are IMHO best used for security purposes. With VLANs you can have a single switch act like multiple switches, and they can make multiple switches act like they are one even though they are geographically separated. VTP on the other hand is not so great, it is an aged protocol and is so bad that even Cisco is removing it from its newest routers. There is a replacement for it though, it is IEEE 802.1q.

If you already have a system set up and it runs fine, leave it alone. But if you are looking to improve security and possibly reduce some overhead you can look into VTP or 802.1q. A properly configured VTP system will allow you to segment your network a lot more! You can put everyone on floor 1 in VLAN 10 and everyone on floor 2 in VLAN 20, but you will need to get a router with sub-interfacing capabilities. When you make a VLAN you are essentially making that VLAN into its own subnet, and a router is required to route between the 2 "subnets"/VLANs. If you do this I would strongly recommend that you look at your server allocations when deciding the VLAN boundaries. If you put a server in VLAN 10 that VLAN 20 uses a lot, you are actually making more work! A packet goes through the switch with VLAN 20 (is analyzed to see if it goes here) into the router (the router now has to decapsulate the packet and then re-encapsulate it with the new VLAN number) and back into the switch with VLAN 10 to the server; then back into the switch with VLAN 10 to the router (the router now has to decapsulate the packet and then re-encapsulate it with the new VLAN number, again) to the switch using VLAN 20, then to your computer. This will happen even if the server is in port 10 and the computer on VLAN 20 is in port 11 of the same switch, except it will come right back from the router with a new number instead of going to a different switch.

The VLAN propagation issue with misconfiguration is easy to stop as long as you are watching when you plug in a new switch: just have a ping going continuously before putting the new switch in and then watch it for ~10 minutes to see if it took correctly.

VLANs are worth it if you can segment your like resources easily: having floor 1 with all of its servers and clients on a single VLAN, connected with only switches in the path, will save you a lot of the router's bandwidth, but incorrect server placement or misconfiguration will kill your network.

While it's great that you seem eager to contribute to the community's knowledge, some of the information in your post is mistaken:

Originally posted here by NewDis: VTP on the other hand is not so great, it is an aged protocol and is so bad that even Cisco is removing it from its newest routers. There is a replacement for it though, it is IEEE 802.1q.

Incorrect:
- VTP continues to be on Cisco's switches;
- 802.1q is not a replacement for VTP: 802.1q is a VLAN trunking protocol (it defines the tagging headers), while VTP is a VLAN configuration protocol (it replicates / propagates / prunes the creation of VLAN instances on neighbouring switches).
- 802.1q is an IEEE-standardised alternative to Cisco's proprietary ISL protocol.
- VTP could be considered complementary to a trunking protocol, dispensing the admin from manual creation of VLANs (and trunk / VLAN assignment), but with the dangers mentioned in my post.

Originally posted here by NewDis: If you already have a system set up and it runs fine, leave it alone. But if you are looking to improve security and possibly reduce some overhead you can look into VTP or 802.1q. A properly configured VTP system will allow you to segment your network a lot more!

Same confusion between vtp/802.1q, but true otherwise...

Originally posted here by NewDis: You can put everyone on floor 1 in VLAN 10 and everyone on floor 2 in VLAN 20, but you will need to get a router with sub-interfacing capabilities. When you make a VLAN you are essentially making that VLAN into its own subnet, and a router is required to route between the 2 "subnets"/VLANs. If you do this I would strongly recommend that you look at your server allocations when deciding the VLAN boundaries. If you put a server in VLAN 10 that VLAN 20 uses a lot, you are actually making more work! A packet goes through the switch with VLAN 20 (is analyzed to see if it goes here) into the router (the router now has to decapsulate the packet and then re-encapsulate it with the new VLAN number) and back into the switch with VLAN 10 to the server; then back into the switch with VLAN 10 to the router (the router now has to decapsulate the packet and then re-encapsulate it with the new VLAN number, again) to the switch using VLAN 20, then to your computer. This will happen even if the server is in port 10 and the computer on VLAN 20 is in port 11 of the same switch, except it will come right back from the router with a new number instead of going to a different switch.

A valid concern, although this example only describes the situation of a "router-on-a-stick" topology.
Nowadays, most networks making use of VLANs will use layer 3 switches (monsters like Catalyst 6500s, for richer bloods) to reduce the additional router hop and the latency incurred from the routing, with many layer 3 switches offering near-wirespeed routing.

Originally posted here by NewDis: The VLAN propagation issue with misconfiguration is easy to stop as long as you are watching when you plug in a new switch: just have a ping going continuously before putting the new switch in and then watch it for ~10 minutes to see if it took correctly.

This is ill-advised.
Your ping will only tell you that you've messed up big time, and by then it'll be too late.
In much less than those 10 minutes you could have killed all VLANs on a network of dozens or hundreds of switches. Have fun running around fixing those, then explaining to your boss what happened.

Originally posted here by NewDis: VLANs are worth it if you can segment your like resources easily: having floor 1 with all of its servers and clients on a single VLAN, connected with only switches in the path, will save you a lot of the router's bandwidth, but incorrect server placement or misconfiguration will kill your network.

True, but there's also more to it when it comes to determining the layer 2/3 boundaries, like redundancy concerns (STP vs routing protocols)...
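The 802.1q-versus-VTP distinction drawn in the reply above, shown on the wire as an added example that is not code from the thread: an 802.1Q tag is a per-frame header carrying only a VLAN ID, whereas a VTP summary advertisement (carried in a Cisco SNAP frame) carries the management domain name and the configuration revision that drives the overwrite scenario. The field layouts follow the 802.1Q and VTP v1/v2 formats; the MAC addresses, domain name and revision values are constructed.

```python
import struct

def parse_dot1q(frame: bytes):
    """Return the 802.1Q tag fields of an Ethernet frame, or None if untagged."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != 0x8100:                 # no tag: plain EtherType follows the MACs
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": ethertype, "payload": frame[18:]}

def parse_vtp_summary(payload: bytes):
    """Decode a VTP v1/v2 summary advertisement (code 0x01) payload."""
    version, code, followers, dlen = struct.unpack("!BBBB", payload[:4])
    if code != 0x01:
        raise ValueError("not a summary advertisement")
    domain = payload[4:4 + dlen].decode("ascii")        # 32-byte padded field
    revision, updater = struct.unpack("!II", payload[36:44])
    return {"version": version, "followers": followers, "domain": domain,
            "revision": revision, "updater": updater,      # updater = IPv4 as int
            "timestamp": payload[44:56], "md5": payload[56:72].hex()}

def build_tagged_frame(vid: int, pcp: int = 0, payload: bytes = b"") -> bytes:
    """Constructed 802.1Q-tagged frame: dst, src, TPID 0x8100, TCI, IPv4 EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return (b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
            + struct.pack("!HHH", 0x8100, tci, 0x0800) + payload)

def build_vtp_summary(domain: str, revision: int, updater: int = 0) -> bytes:
    """Constructed VTP v2 summary advertisement with a zeroed timestamp and digest."""
    name = domain.encode("ascii").ljust(32, b"\x00")
    return (struct.pack("!BBBB", 2, 0x01, 0, len(domain)) + name
            + struct.pack("!II", revision, updater) + b"\x00" * 12 + b"\x00" * 16)
```

The tag says nothing about which VLANs exist or who is authoritative; only the VTP payload carries a revision, which is why a trunk can carry 802.1Q tags with VTP in transparent mode.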